On Tue, Apr 8, 2014 at 2:08 PM, Keith Keller kkeller@wombat.san-francisco.ca.us wrote:
On 2014-04-08, Robert Arkiletian robark@gmail.com wrote:
If you include libcrypto in the grep then sshd is affected.
That's unfortunate. :( Is the bug in libssl, libcrypto, or both?
Since sshd is in doubt, I would like to force my users to change their password, which is stored on a central openldap server. What's the canonical CentOS way to do this? I've done some web searches for some answers, but haven't found anything really definitive, just some workarounds and some crude hacks.
I'm not positive but from reading other forums it seems sshd is *not* affected.
http://security.stackexchange.com/questions/55076/what-should-a-website-oper...

----snip----
It's worth pointing out that OpenSSH is not affected by the OpenSSL bug. While OpenSSH does use openssl for some key-generation functions, it does not use the TLS protocol (and in particular the TLS heartbeat extension that heartbleed attacks). So there is no need to worry about SSH being compromised, though it is still a good idea to update openssl to 1.0.1g or 1.0.2-beta2 (but you don't have to worry about replacing SSH keypairs).
----snip----
Can someone confirm the above to be true?
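
An added example, not part of the thread: the heartbeat extension is TLS code and lives in libssl, so a triage check can separate binaries that link libssl from those that link only libcrypto. The function name and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a binary by which OpenSSL libraries it links,
# reading `ldd`-style text on stdin and printing one word.
# Caveat: ldd shows dynamic dependencies only; statically linked or
# dlopen()ed copies of OpenSSL will not appear.
classify_openssl_links() {
    awk '
        # ldd lines look like: libssl.so.10 => /usr/lib64/libssl.so.10 (0x...)
        $1 ~ /^libssl\.so/    { ssl = 1 }
        $1 ~ /^libcrypto\.so/ { crypto = 1 }
        END {
            if (ssl)         print "libssl"          # TLS stack linked: review for heartbeat exposure
            else if (crypto) print "libcrypto-only"  # crypto primitives only, no TLS code
            else             print "none"
        }'
}

# Constructed sample: a daemon that uses OpenSSL only for crypto primitives.
sample_crypto_only() { cat <<'EOF'
	linux-vdso.so.1 =>  (0x00007fff00000000)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000200000)
	libutil.so.1 => /lib64/libutil.so.1 (0x00007f0000100000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)
EOF
}

# Constructed sample: a TLS-terminating service.
sample_tls_server() { cat <<'EOF'
	linux-vdso.so.1 =>  (0x00007fff00000000)
	libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0000400000)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000200000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)
EOF
}

# On a live host: check_binary /usr/sbin/sshd
check_binary() { ldd "$1" 2>/dev/null | classify_openssl_links; }

echo "crypto-only sample: $(sample_crypto_only | classify_openssl_links)"
echo "tls-server sample:  $(sample_tls_server | classify_openssl_links)"
```

A `libssl` result only means the TLS code is linked; whether the installed package is a fixed build still has to be checked against the distribution's advisory.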